Security Essentials for Mobile Devices

10 Tips for Your Company Policy

Do you use your personally owned smartphone or tablet computer for work? Odds are your employees do.

Security IT experts say this "consumerization" is a top problem. Secure Computing magazine reports that 75 percent of new cybercrime attacks target mobile applications.

Why Act Now: The Costs

Security breaches are costly—in work delays, staff hours lost, brand damage, lawsuits, and fines. For example, the average cost to notify a customer whose financial information might have been breached (as required by California law) is $250; if 500 customers are affected, the cost is $125,000.

Another problem: Personal apps can eat up bandwidth on your company network.

If ignored, the security risks and bandwidth burden will grow. Hundreds of thousands of new mobile devices are being activated daily.

"No" Isn't an Option

Any company that believes it can "just say no" to the use of personal devices is in denial. "IT consumerization is inevitable," says Kerry Bailey, a senior vice president at Verizon.

On the plus side, mobile devices in the hands of management and staff deliver big productivity benefits. Gartner, Inc. predicts that within the next three years, 90 percent of companies will support corporate applications on personal mobile devices.

Acceptable Use Policy

An AUP sets guidelines for the use of computing resources, to protect against unsafe practices. It is a legal document that must be signed by all employees, temporary staff, contractors, and others who use the resources. Signatures protect against the excuse, "I didn't know."

Hopefully, you already have an AUP for your company's network, desktop computers, and laptops.

Following are 10 ways to simplify and speed the creation of your AUP for mobile devices.

1. Save time by starting with a template. AUP templates are available from Cisco Certified Partners that are security specialists, and can also be found online for free or for purchase. Then customize the template to your company's needs.

2. Raise employee awareness. Most users know little about security risks—and have a low tolerance for security controls. Build buy-in by conveying reasons to care: Mobile device security can protect employees' own private data, improve system performance, and prevent job layoffs due to the costs of security breaches.

3. Involve employees in developing your AUP. Enlist a committee to customize the policy for your business. A committee that represents your company's functional departments and employee interests will increase the AUP's effectiveness.

4. Decide which company systems the devices may access. You'll likely require that mobile devices use specific wireless routers and access points; your company can automate enforcement by configuring its Cisco routers and switches for virtual network (VLAN) access. Assign strong passwords periodically for access. Also decide if mobile devices may dock and sync with company PCs.

5. Define the websites and apps that devices may use. You may require that all company use be business-relevant (prohibiting personal email, shopping, and gaming, for example). Also define policies on the use of social media sites and GPS-enabled apps. Your company can enforce such policies automatically, using Cisco ProtectLink products, Small Business RV Series Routers, and security appliances.

6. Ensure that users who connect remotely use VPNs. When employees connect to your company network from home or while traveling—or your business partners connect from their site—stipulate that their session be encrypted.

7. Require that the devices use security software. You can require specific firewall, password protection, antivirus, backup, encryption, or other security apps. Some can locate a lost or stolen smartphone, lock it, and wipe its data. Mobile device management (MDM) applications offer extensive company control, with "consumer" and "corporate" partitions.

8. Require staff and contractors to register their personal devices before they use any company resources. At a minimum, register the employee's name and the device name, MAC address, operating system, and serial number.

9. Educate and train users. Whenever you institute a policy, clearly communicate it and address all questions and concerns.

Consumerization is inevitable. With a company AUP, you'll be protecting against unsafe practices—and your techies can use network and security solutions to identify suspicious activity and policy violations. Security is in your hands.